IPV6 Ad-Hoc Networks plus Masquerading

Now that I have a dual stack working with IPV6 I decided to test wireless and IPV6.

That posed a problem: the wireless router I use does not support IPV6 and cannot be upgraded. Even if it could, that would not have helped me, since I receive a /64 and you cannot split it into several smaller networks, say two /65s, because stateless address autoconfiguration will break, and you need separate networks to route properly.

So what can you do? Well, there is a solution.

Use ULA. They are not routable on the Internet, so you will be ok.

Use masquerading and IP6TABLES to get to the Internet.

In order to do this though you need:

A kernel newer than 3.7.

A version of IPTABLES that supports IPV6 and the latest additions for IPV6 NAT.

A Linux box with IPV6 on its wired interface and a USB stick for the Wi-Fi interface.

So let’s go to it!

Prep Work

Install the latest kernel using the method your distro supports. I am using 3.8.0-25 on Ubuntu 13.04 in my case. I had to upgrade to 13.04 since 12.10 was a bit behind.

You need at least IPTables 4.18 for IPV6 NAT to work. Ubuntu 13.04 does not ship that version, so you will need to download the latest tarball, then compile and install it.

Configure Interfaces

I am assuming that you have a working IPV6 setup. Further let’s assume that the LAN interface is eth0 and the Wi-Fi interface is wlan0.

Your wlan0 interface should be recognized and set up for IPV6, but do not set it to auto-configure.

Create an ad-hoc network using wlan0; it is similar to creating one for IPV4.

We will use ULA. As a reminder, ULA are addresses assigned out of the fc00::/7 prefix.

The prefix above is divided into two prefixes:

fc00::/8

fd00::/8

We will use the latter for our interface.

So configure the address for wlan0 as fd00:x:x:x::1/64. I recommend that you use the prefix you already have and replace its first 16-bit group with fd00.

Enable forwarding by issuing the following:

sudo sysctl -w net.ipv6.conf.all.forwarding=1

Configure Radvd

Now you need to configure radvd so the clients can obtain what they need to route properly.
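The whole router-side procedure above (ULA prefix on wlan0, forwarding, radvd, and the ip6tables masquerading the post relies on) as one script. This is an added example, not code from the original post: the interface names, the ad-hoc SSID and channel, the 2001:db8:1234:1 prefix and the /etc/radvd.conf path are assumptions to be replaced with your own values. By default it only prints what it would do; run it with the argument apply, as root, to install it.

```shell
#!/bin/sh
# Added example, not code from the original post. It generates (and, with
# "apply", installs) the router-side pieces the post describes: the ULA /64
# on the ad-hoc interface, forwarding, a radvd.conf and the ip6tables NAT
# rules. Interface names, the SSID and the global prefix are assumptions.

LAN_IF=eth0                   # wired interface that already has global IPv6
WLAN_IF=wlan0                 # USB Wi-Fi interface used for the ad-hoc network
ADHOC_SSID="ipv6-adhoc"       # assumed SSID for the ad-hoc (IBSS) network
ADHOC_FREQ=2412               # assumed channel 1, in MHz, as iw expects
GLOBAL_PREFIX=2001:db8:1234:1 # constructed: first four groups of your /64
RADVD_CONF=/etc/radvd.conf    # assumed radvd config path

# The post's rule of thumb: keep your own /64 but replace the first 16-bit
# group with fd00, which puts the result inside fd00::/8 (the ULA half we use).
ula_prefix_from_global() {
    printf '%s\n' "$1" | sed 's/^[0-9A-Fa-f]\{1,4\}:/fd00:/'
}

# Sanity check before anything is applied: the first group must be fdXX, i.e.
# the prefix lies in fd00::/8 and is therefore not routable on the Internet.
is_ula() {
    case "$1" in
        [fF][dD][0-9A-Fa-f][0-9A-Fa-f]:*) return 0 ;;
        *) return 1 ;;
    esac
}

# Interface setup: ad-hoc mode, the ULA address on wlan0, and forwarding.
# Printed as commands so they can be reviewed before they run.
iface_cmds() {
    ula=$1
    cat <<EOF
ip link set $WLAN_IF down
iw dev $WLAN_IF set type ibss
ip link set $WLAN_IF up
iw dev $WLAN_IF ibss join "$ADHOC_SSID" $ADHOC_FREQ
ip -6 addr add ${ula}::1/64 dev $WLAN_IF
sysctl -w net.ipv6.conf.all.forwarding=1
EOF
}

# radvd advertises the ULA /64 so clients autoconfigure an address and learn
# the default route; AdvRouterAddr makes wlan0's own address the router address.
radvd_conf() {
    ula=$1
    cat <<EOF
interface $WLAN_IF
{
    AdvSendAdvert on;
    MinRtrAdvInterval 3;
    MaxRtrAdvInterval 10;
    prefix ${ula}::/64
    {
        AdvOnLink on;
        AdvAutonomous on;
        AdvRouterAddr on;
    };
};
EOF
}

# NAT66 rule set: masquerade only traffic sourced from our ULA /64 leaving on
# the wired side, allow new flows Wi-Fi -> LAN and only replies LAN -> Wi-Fi,
# and drop any other forwarded traffic.
nat_rules() {
    ula=$1
    cat <<EOF
ip6tables -t nat -A POSTROUTING -s ${ula}::/64 -o $LAN_IF -j MASQUERADE
ip6tables -A FORWARD -i $WLAN_IF -o $LAN_IF -s ${ula}::/64 -j ACCEPT
ip6tables -A FORWARD -i $LAN_IF -o $WLAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
ip6tables -A FORWARD -j DROP
EOF
}

# Installs everything; refuses to run if the derived prefix is not a ULA.
apply_all() {
    ula=$(ula_prefix_from_global "$GLOBAL_PREFIX")
    is_ula "$ula" || { echo "refusing: $ula is not inside fd00::/8" >&2; return 1; }
    iface_cmds "$ula" | sh -e
    radvd_conf "$ula" > "$RADVD_CONF"
    nat_rules "$ula" | sh -e
    service radvd restart
}

# Default is a dry run that prints everything; "apply" installs it as root.
case "${1:-}" in
    apply) apply_all ;;
    *)
        ula=$(ula_prefix_from_global "$GLOBAL_PREFIX")
        echo "# ULA prefix: ${ula}::/64"
        iface_cmds "$ula"; echo; radvd_conf "$ula"; echo; nat_rules "$ula"
        ;;
esac
```

The iw commands assume the Wi-Fi card supports IBSS mode, and the nat table in ip6tables only exists with the kernel and iptables versions the post lists under Prep Work. The rule set is deliberately narrower than a bare MASQUERADE: only packets sourced from the ULA /64 are translated, only established or related flows are forwarded back towards the Wi-Fi side, and everything else in FORWARD is dropped, which is the kind of more specific rule set worth having once the proof of concept works.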

Test that you are properly masquerading by connecting over SSH to a device on your LAN using IPV6. You will notice that the connection appears to be coming from the eth0 address of the Linux box acting as the router.

Next try ipv6.google.com; you should get there. The rule set above is very basic. One saving grace is that we are using non-routable addresses, so sniffing of your Wi-Fi clients will be difficult but not impossible. Still, some consideration should be given to a more specific rule set; for the purpose of testing it as a proof of concept it is good enough.

Of course, handling addresses via DHCPV6 would be better. Besides the authentication you should use to join your wireless network, you can enforce MAC address filtering so only the devices you want can join your Wi-Fi network. But that will be the topic of another post.